Nmap Development mailing list archives
Re: Ncrack imap+pop3 module patch
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Wed, 17 Feb 2010 03:52:26 +0200
On 02/05/2010 02:53 AM, Bucsay Balázs wrote:
> Hi! Tonight I made one patch to the ncrack (from svn). Now it supports IMAPv4 and POP3, of course with ssl too. You can download it from here:
> http://rycon.hu/tools/ncrack-0.01ALPHA-SVN-pop3imap.diff.gz
> If you want, modify it and merge it to the original source. I hope you can use it :)
>
> Balázs Bucsay
> http://rycon.hu/
I just went through your code more thoroughly. Here are the points that need further inquiry and modification:

1) Use of the con->iobuf system is deprecated. It will be completely removed once I get rid of it in the telnet module. The latest version of Ncrack uses two distinct buffers for I/O: inbuf for incoming data and outbuf for outgoing data. The latter is essential due to the way Nsock works. It is wrong to give nsock_write a buffer that has been allocated on the stack and that will have already died out of scope when the internal nsock handlers operate on the buffer. The buffer needs to be dynamically allocated and a pointer to it must be given to nsock_write() as argument. Hence the need for a separate outbuf.

2) In your pop3_response_parser() you are also looking for multi-line answers. However, according to RFC 1939, multi-line responses occur only to certain commands and the authentication ones are not included in them:

"Responses to certain commands are multi-line. In these cases, which are clearly indicated below, after sending the first line of the response and a CRLF, any additional lines are sent, each terminated by a CRLF pair."

In addition, the server greeting is one line:

"Once the TCP connection has been opened by a POP3 client, the POP3 server issues a one line greeting. This can be any positive response. An example might be:"

Have you noticed any occurrences where the multi-line detection was needed? If not, then we should not bother with that check.

3) Proper indentation:
* 80 char limit for line-wrap (OK)
* tabs converted to spaces (every tab is 2 spaces); in vim I usually do this:
  :set tabstop=2 shiftwidth=2 expandtab
  :%retab
* function definitions should have the function name in the line after the returning variable (and any additional qualifiers like static)

4) It is possible for the server to respond with a -ERR for the USER command, indicating that the provided username is not valid.

"Possible Responses:
+OK name is a valid mailbox
-ERR never heard of mailbox name
Examples:
C: USER frated
S: -ERR sorry, no mailbox for frated here
...
C: USER mrose
S: +OK mrose is a real hoopy frood"

In your code, you assume that any answer other than "+OK" is an indication of a protocol error leading to the termination of the module. However, we should take into account the above possibility.

5) POP3 supports other methods of authentication like APOP. Have you considered a possible implementation of these in the module? You can generally get a listing of the supported authentication types of the server by issuing the CAPA (capabilities) command, as noted by the POP3 Extension Mechanism in RFC 2449. Note that for APOP specifically:

"Note that there is no APOP capability, even though APOP is an optional command in [POP3]. Clients discover server support of APOP by the presence in the greeting banner of an initial challenge enclosed in angle brackets ("<>")."

I have attached the revised (for points 1 and 3) ncrack_pop3.cc. Can you work on points 2 and 4 (and even better on 5 too)? The ncrack_imap.cc should follow the same paradigm.

Cheers,
ithilgore
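The response-parsing rules ithilgore cites from RFC 1939 and RFC 2449 in points 2, 4 and 5 (a one-line greeting, "+OK"/"-ERR" status indicators where "-ERR" is a well-formed negative reply rather than a protocol error, multi-line bodies only for specific commands and terminated by a lone ".", and an APOP challenge signalled by angle brackets in the greeting) as a small stand-alone C++ parser. This is an added example for this archive page, not code from Ncrack or from the attached ncrack_pop3.cc; the function names (`parse_pop3_response`, `pop3_expects_multiline`, `pop3_apop_challenge`) and the sample replies are constructed for illustration.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Outcome of parsing one POP3 reply (RFC 1939): the status indicator is
// exactly "+OK" or "-ERR"; anything else is a protocol violation.
enum class Pop3Status { Ok, Err, Malformed };

struct Pop3Response {
  Pop3Status status = Pop3Status::Malformed;
  std::string text;               // human-readable text after the indicator
  std::vector<std::string> lines; // body of a multi-line reply (dot-unstuffed)
  bool complete = false;          // false: wait for more bytes before deciding
  size_t consumed = 0;            // bytes of the input that form this reply
};

// Only a few commands get multi-line positive replies; USER, PASS and APOP
// (and the greeting) are always one line. LIST and UIDL are multi-line only
// when issued without an argument. CAPA comes from RFC 2449.
bool pop3_expects_multiline(const std::string &cmd, bool has_arg) {
  if (cmd == "RETR" || cmd == "TOP" || cmd == "CAPA") return true;
  if (cmd == "LIST" || cmd == "UIDL") return !has_arg;
  return false;
}

// Parse the reply at the start of buf. expect_multiline says whether the
// command just sent is one whose positive reply carries a dot-terminated body.
Pop3Response parse_pop3_response(const std::string &buf, bool expect_multiline) {
  Pop3Response r;
  size_t eol = buf.find("\r\n");
  if (eol == std::string::npos) return r; // incomplete: no CRLF yet
  std::string first = buf.substr(0, eol);
  size_t skip = 0;
  if (first.compare(0, 3, "+OK") == 0) {
    r.status = Pop3Status::Ok;
    skip = 3;
  } else if (first.compare(0, 4, "-ERR") == 0) {
    r.status = Pop3Status::Err; // a valid negative reply, not a protocol error
    skip = 4;
  } else {
    r.status = Pop3Status::Malformed;
    r.complete = true;
    r.consumed = eol + 2;
    return r;
  }
  r.text = first.substr(skip);
  if (!r.text.empty() && r.text[0] == ' ') r.text.erase(0, 1);
  size_t pos = eol + 2;
  // Negative replies and single-line commands end with the first line.
  if (r.status != Pop3Status::Ok || !expect_multiline) {
    r.complete = true;
    r.consumed = pos;
    return r;
  }
  // Multi-line body: lines until one that is just ".", with ".." unstuffed.
  while (true) {
    size_t next = buf.find("\r\n", pos);
    if (next == std::string::npos) return r; // terminator not yet received
    std::string line = buf.substr(pos, next - pos);
    pos = next + 2;
    if (line == ".") {
      r.complete = true;
      r.consumed = pos;
      return r;
    }
    if (!line.empty() && line[0] == '.') line.erase(0, 1);
    r.lines.push_back(line);
  }
}

// RFC 1939 section 7: a server supporting APOP places its timestamp
// challenge, enclosed in angle brackets, in the greeting. Returns the
// bracketed challenge, or an empty string if the greeting carries none.
std::string pop3_apop_challenge(const std::string &greeting_text) {
  size_t open = greeting_text.find('<');
  if (open == std::string::npos) return "";
  size_t close = greeting_text.find('>', open);
  if (close == std::string::npos) return "";
  return greeting_text.substr(open, close - open + 1);
}

int main() {
  // Constructed greeting; the challenge value is made up for the example.
  std::string greeting = "+OK POP3 server ready <1234.5678@mail.example>\r\n";
  Pop3Response r = parse_pop3_response(greeting, false);
  std::printf("status=%d text=\"%s\" apop=\"%s\"\n", static_cast<int>(r.status),
              r.text.c_str(), pop3_apop_challenge(r.text).c_str());
  return 0;
}
```

The caller decides, per command, whether to wait for a dot terminator; passing `false` for USER, PASS and APOP is what keeps the parser from stalling on a one-line reply, and a "-ERR" comes back as a complete, well-formed `Err` response that the caller can treat as a negative answer instead of tearing the connection down.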
Attachment: ncrack_pop3.cc
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Ncrack imap+pop3 module patch Bucsay Balázs (Feb 04)
- Re: Ncrack imap+pop3 module patch ithilgore (Feb 05)
- Re: Ncrack imap+pop3 module patch ithilgore (Feb 16)